diff options
author | Tobias Brunner <tobias@strongswan.org> | 2016-02-17 17:31:51 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-03 17:28:03 +0100 |
commit | 2f3c08d268a6ead9e7d9e74b523600d76e3e5722 (patch) | |
tree | 92c5feb3413000eec81b7e2777875ecaaaf92b34 /conf | |
parent | 904f93f65562fef83c945348e02fa24600a510ec (diff) | |
download | strongswan-2f3c08d268a6ead9e7d9e74b523600d76e3e5722.tar.bz2 strongswan-2f3c08d268a6ead9e7d9e74b523600d76e3e5722.tar.xz |
ikev1: Allow immediate deletion of rekeyed CHILD_SAs
When charon rekeys a CHILD_SA after a soft limit expired, it is only
deleted after the hard limit is reached. In case of packet/byte limits
this may not be the case for a long time since the packets/bytes are
usually sent using the new SA. This may result in a very large number of
stale CHILD_SAs and kernel states. With enough connections configured this
will ultimately exhaust the memory of the system.
This patch adds a strongswan.conf setting that, if enabled, causes the old
CHILD_SA to be deleted by the initiator after a successful rekeying.
Enabling this setting might create problems with implementations that
continue to use rekeyed SAs (e.g. if the DELETE notify is lost).
Diffstat (limited to 'conf')
-rw-r--r-- | conf/options/charon.opt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/conf/options/charon.opt b/conf/options/charon.opt index a4e03d4af..382003644 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -61,6 +61,14 @@ charon.crypto_test.required = no charon.crypto_test.rng_true = no Whether to test RNG with TRUE quality; requires a lot of entropy. +charon.delete_rekeyed = no + Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + + Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings. + However, this might cause problems with implementations that continue to + use rekeyed SAs until they expire. + charon.dh_exponent_ansi_x9_42 = yes Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic strength. |